Nginx [nginx-announce] nginx security advisory (CVE-2017-7529)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jul 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    Hello!

    A security issue was identified in nginx range filter. A specially
    crafted request might result in an integer overflow and incorrect
    processing of ranges, potentially resulting in sensitive information
    leak (CVE-2017-7529).

    When using nginx with standard modules this allows an attacker to
    obtain a cache file header if a response was returned from cache.
    In some configurations a cache file header may contain IP address
    of the backend server or other sensitive information.


    Besides, with 3rd party modules it is potentially possible that
    the issue may lead to a denial of service or a disclosure of
    a worker process memory. No such modules are currently known though.

    The issue affects nginx 0.5.6 - 1.13.2.
    The issue is fixed in nginx 1.13.3, 1.12.1.

    For older versions, the following configuration can be used
    as a temporary workaround:

    max_ranges 1;

    Patch for the issue can be found here:

    http://nginx.org/download/patch.2017.ranges.txt


    --
    Maxim Dounin
    http://nginx.org/
    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

  2. eva2000

  3. rdan

    rdan Well-Known Member

    Hi @eva2000

    I'm curious why this isn't set by default on CMM nginx.conf?
    I don't see much disadvantage setting it to 1.

    or even 0 for PHP/PHP-FPM request php.conf.

    https://calomel.org/nginx.html
     
  4. eva2000

    That security vulnerability in 1st post was already fixed way back.

    As to setting it by default, I just haven't tested it to know the consequences, so I leave that up to end users: Module ngx_http_core_module

    See how that calomel.org example shows max_ranges set per location context match, i.e. for large zip files only, so the dependent nature of large vs small file serving would be tricky to account for.
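
The affected-version range and the max_ranges workaround from the advisory in the first post, turned into a triage check. This is an added example, not code from nginx or from any poster in this thread. The function names and the sample config are constructed for illustration, and the config text is assumed to be a single string with includes already expanded.

```python
import re

# Bounds copied from the advisory: affects 0.5.6 - 1.13.2, fixed in 1.13.3 and 1.12.1.
FIRST_AFFECTED, FIXED_MAINLINE, FIXED_STABLE = (0, 5, 6), (1, 13, 3), (1, 12, 1)

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True if the version is in the affected range and lacks the 1.12.1 backport."""
    if not FIRST_AFFECTED <= version < FIXED_MAINLINE:
        return False
    # 1.12.1+ on the 1.12.x branch is fixed even though it sorts below 1.13.3.
    return not (version[:2] == FIXED_STABLE[:2] and version >= FIXED_STABLE)

def max_ranges_by_context(config_text):
    """Return [(context, value)] for each max_ranges directive, e.g. ('http', 1)."""
    text = re.sub(r"#.*", "", config_text)  # assumes no '#' inside quoted values
    stack, found = [], []
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        words = stmt.split()
        if delim == "{":
            stack.append(words[0] if words else "")
        elif delim == "}":
            del stack[-1:]  # safe even if braces are unbalanced
        elif len(words) == 2 and words[0] == "max_ranges":
            found.append(("/".join(stack) or "main", int(words[1])))
    return found

def workaround_in_place(config_text):
    """True if max_ranges <= 1 is set at http level and no nested block raises it."""
    found = max_ranges_by_context(config_text)
    return any(c == "http" and v <= 1 for c, v in found) and all(v <= 1 for _, v in found)

def assess(banner, config_text):
    if not is_affected(parse_version(banner)):
        return "fixed"
    return "affected-mitigated" if workaround_in_place(config_text) else "affected-unmitigated"

# Constructed sample input: a location block overrides the http-level workaround.
SAMPLE_CONF = """http {
    max_ranges 1;
    server { location /downloads/ { max_ranges 4; } }
}"""
```

A distribution package may carry the patch without changing its version number, so treat an "affected" result from the banner alone as a prompt to check the package changelog.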